On December 5, 1995 the Office of the Assistant Secretary
of Defense approved this ISL for publication.

This issue of the Industrial Security Letter (ISL)
is in response to questions received regarding Chapter 8 of the
NISPOM, "Automated Information System (AIS) Security."

Question: ISL 95L-1 and paragraph 1-102c of the
NISPOM both state that if any provision of the NISPOM costs more
to implement than the 1991 ISM, a notification to my Field Office (FO) explaining the
ISM policy, along with an explanation of the additional cost,
could result in an extension of up to three years. It is my understanding that I had until
July 31, 1995 to do so. Although it is well past the deadline,
I have not identified the more costly requirements to my FO nor have I implemented certain
new requirements of Chapter 8. What guidance can you provide?

Answer: DIS understood that the July 31st deadline
established for implementation would be difficult for some contractors,
impossible for others.

Therefore, contractors that have not yet implemented
NISPOM requirements should develop an implementation schedule
consistent with the guidance provided in ISL 95L-1 or ask for a waiver pursuant
to paragraph 1-102c of the NISPOM. Your IS Rep and/or AIS Specialist
will assist you in developing a timetable for conversion.

Question: Is it necessary to convert AISSPs for
systems approved under previous policy, merely to make them consistent
with the format in paragraph 8-202 of the NISPOM?

Answer: AISSPs for previously accredited systems
must be updated to incorporate substantive policy and procedural
changes contained in the NISPOM.

However, it is not necessary to update or convert
AISSPs simply to conform to the format at paragraph 8-202 of the
NISPOM. The format of AISSPs is not of any particular significance to the Department of
Defense. The arrangement of information within AISSPs should be
determined by each Information Systems Security Representative (ISSR) based upon company
needs.

Question: Can I process classified information
associated with a contract awarded after July 31, 1995, on an
AIS approved under ISM standards?

Answer: Yes. Systems accredited (approved) under
previous policy (the Industrial Security Manual) remain accredited
and may continue to be used for processing classified information. There are no plans
to summarily withdraw accreditations or to prohibit classified
processing for AISs accredited under the ISM. However, it is important that contractors
implement the requirements of the NISPOM in a timely manner. Systems
being used for new contracts should be scheduled for conversion to the NISPOM requirements
as soon as possible.

Question: All of my ISM approved SPPS were updated
to include the NISPOM requirements and forwarded to my field office
for accreditation. When can I begin to follow the new AISSPs?

Answer: As soon as you receive interim or final approval
from DIS. Until you receive such approval, you should continue
to use the previously approved procedures.

Question: Paragraphs 8-100b, 8-102(12), and 8-403c(1)
discuss the "threat" as it relates to the accredited
AIS. How do contractors obtain threat data?

Answer: The standards and requirements of the NISPOM
are designed in response to the general threat. When specific
threat information known to the DoD exists, it will be conveyed to the facility FSO (usually
by DIS) who will advise the ISSR as necessary.

Question: Paragraph 8-101 states that Chapter
8 describes the minimum security requirements for an AIS "processing"
classified information. Taken literally, does this mean that Chapter 8 would not
apply when the AIS is "not processing" classified information?

Answer: No, the requirements of Chapter 8, specifically
paragraph 8-300 (Physical Security) and paragraph 8-301 (Software
Controls) apply throughout all phases of accreditation. "Processing"
as discussed in paragraph 8-101 should be interpreted as "accredited
to process."

Question: Paragraph 8-102b states that the contractor
shall appoint an ISSR and identifies 18 responsibilities. Can
multiple ISSRs be appointed or can designated security custodians (8-102b(10)) act
in behalf of the ISSR?

Answer: Only one ISSR can be appointed by the contractor
(each cleared facility). However, security custodians can be designated
by the ISSR in facilities with multiple AISs or multiple classified
shifts to act on behalf of the ISSR.

Answer: The interval for audit reviews is dependent
upon the security mode and amount of classified information processed.
The frequency of audit reviews should be mutually determined between the
ISSR and DIS representatives, but as a general rule, these reviews
should be weekly.

Question: Paragraph 8-102b(13) states that a Memorandum
of Agreement (MOA) is required when the AIS supports multiple
CSAs and paragraph 8-401b states that an MOA is required when there are multiple
accrediting authorities. When is an MOA required?

Answer: An MOA is required when there is an interconnection
of 2 or more AISs having different accrediting authorities in
order to stipulate the terms and conditions for the overall security of the network.
The resulting network must be separately accredited by the Cognizant
Security Agency (CSA), that is, the Department of Defense (DoD), the Department of
Energy, the Central Intelligence Agency, or the Nuclear Regulatory
Commission. If the DoD is the accrediting agency for all AISs proposed for the
interconnected network, the DoD would be responsible for accrediting
the resulting network of systems.

The DoD accrediting authority, normally the Defense
Investigative Service, is responsible for the accreditation of
the network jointly with all DoD components and non-DoD agencies that have separately
accredited AISs proposed for the network.

Question: Paragraph 8-200d states that accreditation
can be withdrawn by the CSA when there is an unacceptable change
in the system or its security configuration. Please explain.

Answer: The CSA is obligated to withdraw accreditation
when a change is made to the AIS that could reasonably result
in the compromise of classified information.

Question: Paragraph 8-200e does not appear to
limit the contractor's self-approval authority to only the dedicated
mode as does paragraph 8-102b(16). Can self-approval authority be authorized
for the system high, compartmented and/or multilevel mode?

Answer: Self-approval authority is only authorized
for the dedicated mode. The ISSR may also approve changes to dedicated
and system high mode AISs pursuant to paragraph 8-102b(17).

Question: Paragraph 8-200f states that an AIS
may be reaccredited after review, analysis and approval of an
updated AISSP. What events require reaccreditation?

Answer: Any hardware, software or procedural change
that the ISSR and/or the CSA determines will affect accredited
security controls of the AIS.

Question: Is an inventory listing required as
part of the configuration management procedures described in paragraph
8-202b?

Answer: As a practical matter, all major hardware/firmware
configured for classified processing must be identified by nomenclature,
model and manufacturer. All resident software used for classified
and unclassified processing must be identified by software name,
version, manufacturer, and intended use or function. The ISSR or designee is
responsible for maintaining and keeping such information current.

Question: Paragraph 8-202b refers to "installation
structures" as being part of the CM procedures. What are
they?

Answer: The procedures or process used to install
hardware or software.

Question: Paragraph 8-202c(3) refers to "transaction
receipts" as part of the accredited AIS audit features and
controls. What are they?

Answer: Any receipts associated with the AIS, such
as maintenance, from accreditation to final declassification.

Question: Paragraph 8-202g states that individuals
receiving AIS training "may" be required to sign an
agreement to abide by the security
requirements specified in the AISSP. When should
this agreement be required?

Answer: The decision to require execution of an agreement
is made by the ISSR.

Question: If a contractor is processing only
collateral classified information on an AIS, would there ever
be a requirement to process in the compartmented mode?

Answer: No.

Question: Paragraph 8-204b(1) states that security
requirements for the dedicated mode will "enforce system
access procedures." Are the access
procedures physical, logical, and/or administrative?

Answer: Contractors may use physical, technical and/or
administrative measures to control access to dedicated mode AISs;
however, technical security controls are not required for dedicated mode AISs.

Question: What are the audit requirements for the dedicated mode?

Answer: The audit logs identified in paragraph 8-303
are the only audit requirements for the dedicated mode.

Question: Paragraph 8-208b discusses the use
of a "time lockout" during interactive sessions in the
system high mode. Are "time lockouts" required
beginning in the system high mode?

Answer: No. Time lockouts were included in the NISPOM
as a means of assisting the AIS user in protecting classified
information. Under normal
circumstances, AIS users should never leave their
terminal unattended during classified processing. However, if
necessary, time lockouts are available as
part of the access control policy as long as their
use is described in the AISSP.

Question: Paragraph 8-208c requires that the
security features at the system high mode provide an audit trail
capability. Does this mean only the
"capability" and the actual auditing of
user events is not required?

Answer: No. Beginning at the system high mode, automated
audit trails are required.

Question: Paragraph 8-208c identifies two audit
events for the system high mode, where the 1991 ISM identified
many. Are these the only two audit events that have to be recorded?

Answer: Yes.

Question: In discussing the logon attempt rate, paragraph 8-208g(3)(a) states that the CSA will approve other
such methods besides those that are listed. What are they?

Answer: The methods discussed in the NISPOM are common
practices; however, other methods meeting the intent of the requirements
of user authentication are also acceptable.

Question: Paragraph 8-209a states that beginning
at the system high mode, "hardware and software is examined
when received from the vendor." Is
the vendor the person or place where you buy or lease
your AIS? What if the hardware and/or software is received not
directly from the vendor but from a third party?

Answer: All hardware and software must be examined
before being used, regardless of the source.

Question: If I have contracts that have compartments
or subcompartments, and I have an accredited compartmented mode
AIS, can I also process classified collateral information?

Answer: As a general rule, yes. The ISSR should consult
with appropriate contract and accreditation officials.

Question: Paragraph 8-213 discusses the multilevel
security mode. One of the conditions of this mode is that all
users have a personnel security
clearance (PCL). My customer runs a multilevel system
and they allow uncleared users. What should I do if my customer
wants to network my AIS to their multilevel system?

Answer: Uncleared contractor personnel are not allowed
to be users or to access an AIS accredited to process classified
information. Accordingly, the possibility of a policy exception would have to be
considered by the CSA in coordination with the customer.

Question: Paragraph 8-300b requires that attended
classified processing "shall take place in an area, normally
a Restricted Area, where authorized
persons can exercise constant surveillance and control
of the AIS." What requirements should I use in establishing
restricted areas?

Question: Paragraph 8-300b states that all unescorted
personnel to the area where classified processing is taking place
"must have a government
granted PCL..." Is the requirement directed
to the thousands of contractor granted CONFIDENTIAL clearances
carried over from the ISM?

Answer: Individuals with contractor granted CONFIDENTIAL
PCLs do not require escorts in an area where CONFIDENTIAL processing
is taking place, provided the access limitations prescribed by paragraph 2-205
are not exceeded.

Question: Paragraph 8-301f states that use of
software of unknown or suspect origin is "strongly discouraged."
However, in various security forums
around the country, DIS is saying that it cannot
be used to process classified information. What is the policy?

Answer: DoD strongly discourages the use of software
derived from non-conventional sources because it is at greater
risk for malicious code.
However, the policy does not prohibit the use of
such software, provided proper procedures to review the software
prior to installation are documented
in the AISSP and followed.

Question: Paragraph 8-301h requires "vendor-supplied
software" used for maintenance or diagnostics be "controlled
as though classified." Is this
requirement restricted to software supplied only
by a vendor or does it apply to all maintenance and diagnostics
software?

Answer: All software used for maintenance or diagnostics
must be protected at the level of the accredited AIS. Exceptions
for vendor supplied software on
write-protected media may be permitted on a case-by-case
basis by the CSA. When authorized, procedures for handling such
software on write-protected
media must be contained within the AISSP.

Question: What are the marking requirements for AIS media?

Answer: In general, the overall marking requirements
of paragraph 4-200 apply. The media is marked as to its identification
(4-202), its overall
markings (4-203), and the classified by, downgraded
to and/or declassified on lines (4-208).

Question: Paragraph 4-311b of the 1991 ISM required
that AISs provide for "internally recorded" security
markings on AIS media. The NISPOM is
silent on this requirement. Are internal markings
required on AIS media?

Answer: For the dedicated and system high mode, it
is the responsibility of the user to ensure that appropriate markings
are affixed when classified
information is reproduced or generated. For the compartmented
and multilevel mode, security features of the AIS will automatically
affix the appropriate markings.

Question: Paragraph 8-302f requires that media
sanitization actions be verified. If I have a significant number
of classified media that need to be
sanitized, would each sanitization action require
verification?

Answer: As a general rule, only a random sampling
would need to be verified when using an approved degausser. However,
every sanitization action would
require verification when using an approved overwrite
utility.

Question: In addition to the verification of
the sanitization action, paragraph 8-302f requires a record be
annotated that "shows the date, the
particular sanitization action taken, and the person
taking the action." However, there isn't any mention of classification
level of the media and
since CONFIDENTIAL and SECRET do not require accountability,
must the record be annotated?

Answer: Yes. The requirement to record the sanitization
action is not classification dependent. It should be noted that
paragraph 8-303a(4) requires sanitization records be maintained as part
of the audit logs.

Question: Paragraph 8-303 states that the contractor
will retain audit trail records until reviewed but not more than
12 months. Is it permissible for the ISSR to release audit trail records once
they are reviewed?

Answer: No. The contractor is responsible for retaining
the latest 12 months of audit trail information for the CSA to
review. This applies to both the
security audit information (8-303) and the automated
audit trail information identified under the security features
for the system high (8-208c), compartmented (8-211g) and multilevel (8-214a) mode.

Question: Paragraph 8-304a does not mention non-removable
storage media or any requirements for the use of non-removable
storage media during security
level upgrading. Can non-removable storage media
be used to process classified information?

Answer: Yes. Non-removable storage media can continue
to be used to process classified information. If used, certain
upgrading requirements (8-304a(4)), downgrading requirements (8-304b(2)) and declassification/sanitization
requirements (8-302g) must be identified in the AISSP.

Question: Paragraph 8-304a(5) requires that the
AIS be initialized with a dedicated copy of the operating system
protected commensurate to the
classified level of the information to be processed.
If I process CONFIDENTIAL, SECRET and TOP SECRET during different
independent processing
sessions, would I need three copies?

Answer: Yes, unless administrative and procedural
measures are taken that eliminate or reduce duplicate copies.
Contact your IS Rep or AIS Specialist for additional guidance.

Question: If I am downgrading from a TOP SECRET
session and have used non-removable media, what procedures do
I follow? Paragraph 8-304b(2) says
sanitize but the "Clearing and Sanitization
Matrix" says I can't use a three-time overwrite at the TOP
SECRET level.

Answer: Option "d" of the "Clearing
and Sanitization Matrix" is referring only to sanitization
for declassifying purposes. When downgrading (8-304b),
TOP SECRET media can be sanitized (i.e., three-time
overwrite).

Question: Paragraph 8-305 limits access to unattended
hardware only to personnel cleared for the highest level of classified
information processed on the AIS. If I have an accredited multilevel mode
system, can personnel cleared CONFIDENTIAL have access to unattended
equipment (e.g., terminals, printers) that process only CONFIDENTIAL information?

Answer: As a general rule, yes. Contact your IS Rep
or AIS Specialist for additional guidance.

Question: Paragraph 8-305c states that the logon
password file should be encrypted when practical. Since authentication
techniques, in this case
passwords, are required beginning at the system high
mode, should not the logon password file always be encrypted?

Answer: No. However, when the logon password file
is not encrypted, the AIS will need a strong access control policy.
This will permit only authorized
system administrators (e.g., ISSR) access to the
non-encrypted passwords.

Question: Paragraph 8-305d(2) does not address
the "one-way" connection of an unclassified AIS to a
classified AIS. Is this still permitted?

Answer: This paragraph is discussing "general"
connection requirements for collocated classified and unclassified
AISs. One-way connection is allowed
under specific conditions, when addressed in the
AISSP. Contact your IS Rep or AIS Specialist for additional guidance.

Question: Paragraph 8-306 states that cleared
maintenance or diagnostics personnel do not normally require an
escort but that need-to-know "must be enforced." This
is a big change from previous policy. What advice do you have?

Answer: The enforcement of need-to-know within the
context of paragraph 8-306 means simply that the company has an
obligation to ensure that personnel who
perform maintenance and diagnostic actions are limited
to data, information, hardware, firmware, and software for which
they are authorized.

Answer: A technically knowledgeable escort is preferred;
however, as a minimum, the escort must be sufficiently knowledgeable
concerning the AISSP, established security policies and practices, and
escorting procedures.

Question: Paragraph 8-306c states that uncleared
personnel doing maintenance shall not use the dedicated copy of
the system software with a
direct security function. Please explain.

Answer: The dedicated copy of the system software
shall never be used by uncleared personnel, maintenance or not.
Even though system and/or
maintenance software is not classified, both require
control and protection at the level the AIS is accredited.

Question: Paragraph 8-306e states that maintenance
and diagnostics should be performed in the contractor facility
when practical. What does this
mean? The current practice in industry seems to be
the opposite.

Answer: Maintenance and diagnostics functions performed
within the contractor's facility are generally preferable because
the possibility of greater control exists; however, those functions
may be performed outside the facility at the discretion of the
ISSR. The ISSR must decide what is most
practical under a particular set of circumstances,
and security is but one of many considerations which must be taken
into account.

Question: Paragraph 8-306e states that any AIS
component or equipment released from secure control for maintenance
is no longer part of the
accredited system. Once equipment is repaired and
returned, can it again become part of the accredited system?

Answer: Yes, but in some cases the reintroduction
of equipment must be approved by the ISSR while CSA approval is
required in other cases. In
addition, beginning at the system high mode, the
equipment must be examined prior to reintroduction.

Question: Paragraph 8-306g requires the "contractor"
to approve the use of certain maintenance tools. Does the "contractor"
mean any employee, any
user or just the ISSR?

Answer: Only the ISSR and/or their security custodians
can approve the use of maintenance equipment. This may be accomplished
as part of the configuration
management procedures, which include specific approval
procedures and authorization requirements for the use of maintenance
equipment and are
described in the AISSP for each AIS.

Question: Paragraph 8-306h discusses the "proper
release procedures" that are completed before component boards
are allowed to leave the security
area. What are "proper release procedures?"

Answer: The "Clearing and Sanitization Matrix"
on page 8-3-5 discusses the technical requirements; the audit
requirements are discussed in paragraph 8-303a(1).

Question: What procedures must be followed to
utilize remote diagnostic or maintenance services?

Answer: Paragraph 8-306i provides guidance on their
use.

Question: What procedures should be followed
to sanitize static random access memory (SRAM)?

Answer: The manner in which SRAM is used during a
classified session is critical in determining the appropriate
option identified on page 8-3-5. In
certain cases, information remains stationary within
the SRAM during processing. In those cases, options "c and
f" might be appropriate. But in
other cases, information "flows" through
the SRAM and option "g" might be most appropriate. Importantly,
procedures for effectively clearing and sanitizing
units with residual memory need to be coordinated
with DIS AIS Specialists.

Question: The footnote on the bottom of the Clearing
and Sanitization Matrix (page 8-3-5) states that all magnetic
tapes "must be labeled" as to
their "Type" if more than one type exists
and the contractor has an approved degausser. If I have only Type
I and II tapes and have an approved Type II
degausser, should the tapes be labeled?

Answer: As a general rule, no.

Question: Sections 1, 2 and 3 of Chapter 8 do
not include transmission control requirements. The 1991 ISM (paragraph
8-310) identified both Intra
and Inter-Complex requirements. The NISPOM in Section
4 (Networks) does discuss "Protected Distribution Systems"
(PDS) and National Security Agency
approved encryption methodologies but only as they
relate to transmitting classified information between network
components. What requirements do I
follow?

Answer: The absence of transmission control standards
within Chapter 8 was an oversight. Pending coordination and publication
of an AIS transmission
control policy for inclusion in the NISPOM, contractors
under DoD security cognizance are requested to follow the standards
contained in paragraph 8-310
of the 1991 ISM.